[strongSwan] strongswan and a windows7 client without cert
Nickola Kolev
nikky at minus273.org
Sat Jun 18 15:00:20 CEST 2011
Hello,

I would very much like to set up a strongswan VPN gateway, which
authenticates Windows 7 clients with only a username and password via
a RADIUS server (freeradius), and with no certs whatsoever. Is that
possible?

Currently I get to a point, where the Freeradius server receives an
Access-Request via strongswan, but the username there is the IP
address, which the client has - e.g. '=C0=A8=C9=0C' for 192.168.201.12.
As a result, no successful authentication is done.
Here's part of the strongswan's config:

conn roadwarrior-nat-ikev2
        keyexchange=ikev2
        left=%defaultroute
        right=%any
        rightsourceip=192.168.100.0/24
        rightauth=eap-radius
        rightsendcert=never
        auto=start

So, the last thing I see in the logs from strongswan, is this:
Jun 18 13:46:28 vpnserver charon: 01[CFG] sending RADIUS Access-Request to server 'primary'
Jun 18 13:46:28 vpnserver charon: 01[CFG] received RADIUS Access-Challenge from server 'primary'
Jun 18 13:46:28 vpnserver charon: 01[IKE] initiating EAP_RADIUS method (id 0x01)
Jun 18 13:46:28 vpnserver charon: 01[IKE] peer supports MOBIKE
Jun 18 13:46:28 vpnserver charon: 01[IKE] no private key found for 'XX.XX.XX.68'
Jun 18 13:46:28 vpnserver charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 13:46:28 vpnserver charon: 01[NET] sending packet: from XX.XX.XX.68[4500] to YY.YY.YY.216[4500]

From this I'm guessing, that in fact I need a certificate,
nevertheless. Is it possible to have the strongswan daemon relay the
username to the freeradius daemon intact?
--
Regards,
Nick
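
Added example (not part of the original post, and not strongSwan or FreeRADIUS code): a small Python check that decodes a User-Name value in the =XX escaped form quoted above and flags values that are really a packed IP address rather than a typed username. The function names and the sample values other than '=C0=A8=C9=0C' are constructed for illustration.

```python
import ipaddress
import re

# Matches one =XX escape, the form in which the post quotes the User-Name.
_ESCAPE = re.compile(rb"=([0-9A-Fa-f]{2})")


def unescape(value: str) -> bytes:
    """Turn the =XX escaped form back into the raw attribute bytes."""
    data = value.encode("latin-1")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def classify_user_name(value: str) -> tuple[str, str]:
    """Return (kind, readable form) for one logged User-Name value."""
    raw = unescape(value)
    printable = all(0x20 <= b < 0x7F for b in raw)
    # A 4- or 16-byte value containing non-printable bytes is almost
    # certainly a packed IP address used as the identity, not something a
    # user typed. An address whose bytes all happen to be printable ASCII
    # cannot be told apart from a short username by this check.
    if not printable and len(raw) == 4:
        return "ipv4-address", str(ipaddress.IPv4Address(raw))
    if not printable and len(raw) == 16:
        return "ipv6-address", str(ipaddress.IPv6Address(raw))
    if not printable:
        return "binary", raw.hex()
    return "username", raw.decode("ascii")


def flag_address_identities(values):
    """List (logged value, decoded address) for values that are IP addresses."""
    flagged = []
    for value in values:
        kind, readable = classify_user_name(value)
        if kind in ("ipv4-address", "ipv6-address"):
            flagged.append((value, readable))
    return flagged


# Constructed samples: the first is the value from the post, the rest are
# made-up usernames for comparison.
SAMPLES = ["=C0=A8=C9=0C", "nick", "alice@example.org"]

if __name__ == "__main__":
    for logged, address in flag_address_identities(SAMPLES):
        print(f"User-Name {logged!r} is the client address {address}")
```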